Mozilla Releases Firefox 115


Mozilla has released Firefox 115 to the stable channel with patches for a dozen vulnerabilities, including two high-severity use-after-free bugs.

The first high-severity vulnerability, tracked as CVE-2023-37201, is described as a use-after-free flaw in WebRTC certificate generation. An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.

The second high-severity vulnerability, CVE-2023-37202, is described as a potential use-after-free issue from compartment mismatch in the open source JavaScript and WebAssembly engine SpiderMonkey. Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment, resulting in a use-after-free.

The latest version also addresses high-severity memory safety bugs that might have led to the execution of arbitrary code. These flaws are tracked as CVE-2023-37211 and CVE-2023-37212.

Firefox 115 also includes patches for eight medium-severity vulnerabilities:

  • CVE-2023-37203: Drag and Drop API may provide access to local system files
  • CVE-2023-37204: Fullscreen notification obscured via option element
  • CVE-2023-37205: URL spoofing in address bar using RTL characters
  • CVE-2023-37206: Insufficient validation of symlinks in the FileSystem API
  • CVE-2023-37207: Fullscreen notification obscured
  • CVE-2023-37208: Lack of warning when opening Diagcab files
  • CVE-2023-37209: Use-after-free in `NotifyOnHistoryReload`
  • CVE-2023-3482: Block all cookies bypass for local storage

Additional information on the resolved vulnerabilities can be found on Mozilla’s security advisories page.
